Working to bootrom/bootload unlock playbook? What's your progress?
- After pulling the SIM card out of my Z10 and putting the iPhone 4S back into commission, seeing your post is like a breath of fresh air. All I can say is that staying faithful to the work involved here is logical, as an exploit will eventually be found on this device.
Let me know if you are looking for any test takers.
loads of ifs and buts..... and it's stuck on one thing: HS documents, which we don't have.
so finding a logic is going to be extremely tough, because you need to run a binary disassembly on the loader and then find the logic. like you need to use an ada arm hf disassembler. :-D get the idea? and it's not a week or month job. it may take a month or two provided some hardcore dedicated work is going on. wish RIM also used a bootrom chip like Apple. bastids didn't. hence we are out of luck as of now, but not for long. as from Monday I will start the disassembly work, because both cryptanalysis and bruteforce will take a long time.
test takers? welcome onboard. you can run the same work we do. we will soon notify advancements. i met a few new chaps who are hardcore in electronics. i asked them for help. they agreed. that's the good news.
thanks
-paul
Last edited by quackquack147; 06-22-13 at 11:55 AM.
06-22-13 07:58 AM Like 0
- You have been granted access to the Project, QNX Operating System.
Visit the Project at foundry27 : Project Home
FIGHT!
thanks
-paul
Last edited by quackquack147; 06-22-13 at 10:03 AM.
06-22-13 09:44 AM Like 0
-
my battle: rewrite the bootloader itself from scratch. :-D thus my battle starts where your battle ends.
it's not against RIM, but it's the thud punch to HS (high security).... ain't easy.
which is why this alliance was forged. the enemy of an enemy is a friend of yours.
besides, you can have all the root and exploits and android you want. i need raw power, i need unconditional access, so rooting is not my cup of tea. :-D
i.e. bootloader and nothing more. and next GSoC is May 2014. i've got plenty of time. but you are impatient. you need it fast. so i will try to unlock the code, can't promise how long it will take.
oh by the way enjoy the song ->
and those who wish to know cryptography and cryptanalysis? have a look here, you will understand why it is so difficult to break this key
good luck!
thanks
-paul
Last edited by quackquack147; 06-22-13 at 12:03 PM.
lexluthorxx likes this. 06-22-13 11:43 AM Like 1
- your battle: either root it or find an exploit and run android. that's where your battle ends.
thanks
-paul
06-22-13 11:56 AM Like 0
- the wicker man! :-D the lighter side of BS! ;-)
thanks
-paul
don't forget to check that cryptanalysis and cryptography stuff. it is extremely, extremely juicy and a power-packed punch. but then again, with that much power comes even greater responsibility.
so try to be gentoo... else you will burn yourself with your own power.
thanks
-paul
06-22-13 12:14 PM Like 0
- adding more info.
OMAP4430_ES2.x_PUBLIC_TRM_vAE.pdf
pg 265 says it has a 48 KB bootable ROM.
and
pg 266 says the L2 ROM is only 16 KB
which means the bootrom is either 48*8=384 kbits or 16*8=128 kbit.
why is this important?
the L2 ROM is the important one, I will assume, since it kicks off the second stage chain loader and the first stage loader
-rw-r--r-- 1 root root 20460 Jun 10 23:55 MLO
-rwxr-xr-x 1 root root 19940 Jun 10 23:55 x-load.bin
-rw-r--r-- 1 root root 20460 Jun 10 23:55 x-load.bin.ift
or ~ 20KB
let's assume it's compressed and also the strip command is issued with -O2 for gcc size optimization, then it can fit nicely within 16KB.
so the bootloader sits in L2 cache and it's only 16K and it's aided by a 64KB SRAM.
nice. getting close. i can smell it, we are near the fresh meat. weeeee!
stay tuned for more findings. i like TI for only one thing: their docs are really, really extensive and deep.
hence, the conclusion is....
the bootloader, which is MLO or x-loader.bin.ift, is compressed with lzma, which means it can be compressed even more, and also the signature is padded in the first few blocks.
now comes a very important question. exactly how many bits/bytes is the signed pad.... i mean how many bits are padded as signature? if we know the length of that then cryptanalysis is much easier to do.
now we know one thing. 3072 bit encryption can't reside on this.....
Key size - Wikipedia, the free encyclopedia
there is a ray of hope on this..... One of the asymmetric algorithm types, elliptic curve cryptography, or ECC, appears to be secure with shorter keys than those needed by other asymmetric key algorithms. NIST guidelines state that ECC keys should be twice the length of equivalent strength symmetric key algorithms. So, for example, a 224-bit ECC key would have roughly the same strength as a 112-bit symmetric key. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on. A message encrypted with an elliptic key algorithm using a 109-bit long key has been broken by brute force.[8]
i hope this is all the info you can digest for the day or rather i can read for now.
calling it a day.
thanks
-paul
p.s. but one more thing, look at page 265: there is a 48KB bootable ROM, i.e. 48*1024*8=393216 bits.
which is sufficient to hold the 3072 bit key + 20KB MLO/x-loader.bin.ift
which means we are in deep deep deep ...... sh!t.... if L1 cache is where the bootrom resides. ;-) and cryptanalysis is next to impossible. ;-D
p.s. 2 there is more info i am adding. there is also L3 cache which has memory split like this. pg 271
L3 OCM RAM, SAR ROM, SAR RAM & OCM RAM is 56 KB.... 56 KB.... oh uh! bad news. and there is SAR (save and restore) RAM which is 4KB, and SAR RAM which goes for context saving in offline mode. if my guess is right, this is the one (SAR RAM & SAR ROM combination) which does the hash and sign check.
Last edited by quackquack147; 06-22-13 at 04:07 PM.
06-22-13 03:47 PM Like 0
- the signed bootrom is 128 KB and padded and compressed and stored in eMMC, and it's the GPMC 48 KB ROM which loads this and signs and checks. at least that's what pg 281 says.
hope this helps
thanks
-paul
06-22-13 06:00 PM Like 0
- WhiteSpir1t posted that via iOS apps we can control hardware directly. so this is also possible with the BB native SDK or NDK, which is also confirmed by Nickstarmaster. now it's a double confirmation. hope we find a buffer overflow or underrun for the HS registers. and then we will try to see if we can push an unsigned bootloader. the bootloader is signed. and the HS registers are controlled either via the 16 KB ROM or the 48 KB ROM or a 64 KB ROM. we need to know the address base of these registers and then target an attack. else it will be a fruitless banana community mess aka bricked playbook. maybe we can fork the bootloader.
synerworks also confirmed that there are traces which can/may be cut to get raw CPU access. question is which traces to cut. it's a booby trap.
loads of possibilities. we don't know what's what for sure.
thanks
-paul
06-22-13 11:55 PM Like 0
-
thanks
-paul
06-23-13 07:42 AM Like 0
-
Go to settings>security>dev mode.
If you talk of adb logcat from android.
You can try ssh but then I don't know how to get the logs.
06-23-13 07:48 AM Like 0
-
thanks
-paul
06-23-13 08:01 AM Like 0
-
thanks for your support but maybe I was not so clear: it's the first boot for my PlayBook. I never booted it earlier because if I complete the setup it wants to upgrade to the latest OS.
I'm asking if there is a way to enable Development Mode from that situation, otherwise I have no way to do the rooting. Right?
06-23-13 08:09 AM Like 0
- Hi,
CFP a rootable OS then enable dev mode. :thumbup:
Oh, damn, I want root too.
06-23-13 08:24 AM Like 0
- Hi,
this is why I never thought of rooting. because when there is an upgrade/update all rooting mechanisms get dealt with too much force. i.e. you lose root and wait for someone else to root again.
that's why this approach.
thanks
-paul
06-23-13 08:34 AM Like 0
- i know this much of what dr_akula said. you can use CFP to downgrade the OS and then root it and forget about an upgrade; if you do, you will lose root. i am taking a different approach. i am not rooting the device. i am trying to take ownership of the bootloader. if we do so then we never ever need to worry about rooting again in future.
thanks
-paul
It was somewhere in the rooting forum.
06-23-13 08:36 AM Like 0
- Ssh thing.
Here it is http://forums.crackberry.com/showthread.php?t=640410
Not much you can do with it.
Everything is blocked. :banghead:
06-23-13 08:51 AM Like 0
-
thanks
-paul
Dr_Acula likes this. 06-23-13 09:02 AM Like 1
- Thanks to both ^_^ So I can make the update and then later the downgrade? I am asking you that because until now I was thinking it is not possible... if so, let's upgrade :-)
Which one is for you the most reliable firmware for the downgrade? Do we also have a packed CF for that?
Thanks
06-23-13 09:45 AM Like 0
- Root first
06-23-13 09:46 AM Like 0